09-20-2018 01:29 AM
Hi experts,
My customer needs to migrate from ACS to ISE. This will be for administration access of their devices. They have non-Cisco devices and 1 of them is a Bluecoat proxy. I have tried to configure it the way I think it will work, but unfortunately no luck. So far, below is what I have done:
1. Added the Bluecoat vendor ID (14501) to the ISE dictionary.
2. Added an attribute for admin access. Admin access ID = 2.
3. Added an attribute for read-only access. Read only = 1.
4. Created a device profile for Bluecoat, using the newly added RADIUS attribute.
5. Created a policy with the result of "administrative" for admin access and "login" for read-only access.
During testing, authentication is successful but it doesn't go through to the proxy GUI access. The device re-prompts with the username and password window.
Has anybody tried this setup? Or maybe someone can point me to a good document. Thanks in advance.
Regards,
Chris
09-29-2018 08:50 AM
Hi Chris,
Add Bluecoat Proxy under Radius Vendor in the ISE Dictionary with vendor ID 14501.
Under dictionary attributes, add 2 new attributes with:
Attribute Name : Blue-Coat-Authorization
Data Type: UINT32
Direction: Both
ID: 2
Another attribute with Attribute Name: Blue-Coat-Group
Data Type: UINT32
Direction: Both
ID: 1
Under Authorization profile, use the network device profile as Bluecoat, then in Advanced attributes call the above 2 attributes as:
Blue-Coat-Authorization = 2
Blue-Coat-Group = 2
10-07-2018 07:44 PM
Hi,
Thanks for the reply. I have tried what you have suggested, but sorry to say that it doesn't work. I'm talking to Cisco TAC about it. Thanks.
Regards,
Chris
06-03-2019 02:06 PM
I see that there has not been anything posted as to a resolution on this. I have tried the same process and found it to not work as expected.
Can someone that has been able to verify a working configuration please respond.
Thank you,
06-03-2019 02:47 PM
Hello :)
On the authorization profile, how did you create it and what was the response from ISE? Kindly note I don't have a verified test;
however, I will help you here to have the profile as per this:
VENDOR BlueCoat 14501
BEGIN-VENDOR BlueCoat
ATTRIBUTE Blue-Coat-Group 1 string
# Accepts multiple groups as comma-separated list.
ATTRIBUTE Blue-Coat-Authorization 2 integer
VALUE Blue-Coat-Authorization No-Access 0
VALUE Blue-Coat-Authorization Read-Only-Access 1
VALUE Blue-Coat-Authorization Read-Write-Access 2
END-VENDOR BlueCoat
In some of the answers I am seeing a response for group with an integer, which is not correct, since in group we should send the group name.
Based on your explanation you are only pushing read-only or read-write, which is identified as an integer:
1 for read
2 for read write
Can you please double-check the dictionary,
then make sure your authorization profile is pushing something like this:
Access Type = ACCESS_ACCEPT
Blue-Coat-Authorization = 2
Let me know how it goes.
Wishes,
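Added example, not part of the thread and not Cisco or Blue Coat code: how the two Blue Coat attributes look on the wire as RADIUS Vendor-Specific attributes (type 26), and what a receiver that follows the dictionary quoted in the post above (group as string, authorization as integer) decodes when the group is sent as a UINT32 instead. The group name "proxy-admins" and the sample packets are constructed, and the attribute types are assumed to be as that dictionary lists them.

```python
import struct

VENDOR_ID = 14501  # Blue Coat vendor id, as given in the thread
# Sub-attribute id -> (name, type), following the dictionary quoted in the post above
ATTRS = {1: ("Blue-Coat-Group", "string"), 2: ("Blue-Coat-Authorization", "integer")}
AUTHZ = {0: "No-Access", 1: "Read-Only-Access", 2: "Read-Write-Access"}

def encode_vsa(sub_id, value):
    """Encode one Vendor-Specific attribute (RADIUS type 26, RFC 2865 section 5.26)."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    sub = struct.pack("!BB", sub_id, 2 + len(data)) + data
    body = struct.pack("!I", VENDOR_ID) + sub
    if len(body) > 253:
        raise ValueError("attribute too long")
    return struct.pack("!BB", 26, 2 + len(body)) + body

def decode_bluecoat(attrs):
    """Walk a RADIUS attribute section and decode Blue Coat VSAs by dictionary type."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        atype, value = attrs[i], attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
        if atype != 26 or len(value) < 4 or struct.unpack("!I", value[:4])[0] != VENDOR_ID:
            continue  # not a Blue Coat VSA
        j = 4
        while j < len(value):
            if j + 2 > len(value) or value[j + 1] < 2 or j + value[j + 1] > len(value):
                raise ValueError("malformed sub-attribute")
            sid, data = value[j], value[j + 2:j + value[j + 1]]
            j += value[j + 1]
            name, kind = ATTRS.get(sid, (f"Unknown-{sid}", "octets"))
            if kind == "integer":
                if len(data) != 4:
                    raise ValueError(f"{name}: expected 4 bytes, got {len(data)}")
                n = struct.unpack("!I", data)[0]
                out.append((name, AUTHZ.get(n, n)))
            elif kind == "string":
                out.append((name, data.decode("utf-8", "replace")))
            else:
                out.append((name, data))
    return out

# Constructed sample: Reply-Message (type 18) followed by the two Blue Coat VSAs
reply_message = struct.pack("!BB", 18, 4) + b"ok"
good = reply_message + encode_vsa(2, 2) + encode_vsa(1, "proxy-admins")
# Same group attribute sent as a UINT32, as an integer-typed dictionary entry would
mismatch = encode_vsa(1, 2)
```

Calling `decode_bluecoat(mismatch)` returns the four raw bytes `00 00 00 02` as the group "name", which is why a packet capture of the Access-Accept is a quick way to check which type the server is actually sending.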
06-08-2019 02:27 AM
Hi,
For Bluecoat admin access "result":
under "Advanced attributes settings" choose:
Radius:Service-Type = Administrative
This will give attribute details as:
access type = ACCESS_ACCEPT
service-type = 5
For Bluecoat read-only access "result":
under "Advanced attributes settings" choose:
Radius:Service-Type = Login
This will give attribute details as:
access type = ACCESS_ACCEPT
service-type = 1
I believe on the Bluecoat side you also need to do some configuration; unfortunately I can't remember what and where it should be configured.
Hope this helps.
06-08-2019 02:28 AM